xref: /external/libnetfilter_conntrack/include/libnetfilter_conntrack/libnetfilter_conntrack.h

/*
 * (C) 2005-2011 by Pablo Neira Ayuso <pablo@netfilter.org>
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 */

#ifndef _LIBNETFILTER_CONNTRACK_H_
#define _LIBNETFILTER_CONNTRACK_H_

#include <stdbool.h>
#include <netinet/in.h>
#include <libnfnetlink/linux_nfnetlink.h>
#include <libnfnetlink/libnfnetlink.h>
#include <libnetfilter_conntrack/linux_nfnetlink_conntrack.h>

#ifdef __cplusplus
extern "C" {
#endif

enum {
	CONNTRACK = NFNL_SUBSYS_CTNETLINK,
	EXPECT = NFNL_SUBSYS_CTNETLINK_EXP
};

/*
 * Subscribe to all possible conntrack event groups. Use this
 * flag in case that you want to catch up all the possible
 * events. Do not use this flag for dumping or any other
 * similar operation.
 */
#define NFCT_ALL_CT_GROUPS (NF_NETLINK_CONNTRACK_NEW|NF_NETLINK_CONNTRACK_UPDATE|NF_NETLINK_CONNTRACK_DESTROY)

struct nfct_handle;

/*
 * [Open|close] a conntrack handler
 */
extern struct nfct_handle *nfct_open(uint8_t, unsigned);
extern struct nfct_handle *nfct_open2(uint8_t, unsigned, int);
extern struct nfct_handle *nfct_open_nfnl(struct nfnl_handle *nfnlh,
					  uint8_t subsys_id,
					  unsigned int subscriptions);
extern struct nfct_handle *nfct_open_nfnl2(struct nfnl_handle *nfnlh,
					  uint8_t subsys_id,
					  unsigned int subscriptions,
					  bool bind);
extern int nfct_close(struct nfct_handle *cth);
extern int nfct_close2(struct nfct_handle *cth, bool keep_fd);

extern int nfct_fd(struct nfct_handle *cth);
extern const struct nfnl_handle *nfct_nfnlh(struct nfct_handle *cth);

/*
 * NEW libnetfilter_conntrack API
 */

/* high level API */

#include <sys/types.h>

/* conntrack object */
struct nf_conntrack;

/* conntrack attributes */
enum nf_conntrack_attr {
	ATTR_ORIG_IPV4_SRC = 0,			/* u32 bits */
	ATTR_IPV4_SRC = ATTR_ORIG_IPV4_SRC,	/* alias */
	ATTR_ORIG_IPV4_DST,			/* u32 bits */
	ATTR_IPV4_DST = ATTR_ORIG_IPV4_DST,	/* alias */
	ATTR_REPL_IPV4_SRC,			/* u32 bits */
	ATTR_REPL_IPV4_DST,			/* u32 bits */
	ATTR_ORIG_IPV6_SRC = 4,			/* u128 bits */
	ATTR_IPV6_SRC = ATTR_ORIG_IPV6_SRC,	/* alias */
	ATTR_ORIG_IPV6_DST,			/* u128 bits */
	ATTR_IPV6_DST = ATTR_ORIG_IPV6_DST,	/* alias */
	ATTR_REPL_IPV6_SRC,			/* u128 bits */
	ATTR_REPL_IPV6_DST,			/* u128 bits */
	ATTR_ORIG_PORT_SRC = 8,			/* u16 bits */
	ATTR_PORT_SRC = ATTR_ORIG_PORT_SRC,	/* alias */
	ATTR_ORIG_PORT_DST,			/* u16 bits */
	ATTR_PORT_DST = ATTR_ORIG_PORT_DST,	/* alias */
	ATTR_REPL_PORT_SRC,			/* u16 bits */
	ATTR_REPL_PORT_DST,			/* u16 bits */
	ATTR_ICMP_TYPE = 12,			/* u8 bits */
	ATTR_ICMP_CODE,				/* u8 bits */
	ATTR_ICMP_ID,				/* u16 bits */
	ATTR_ORIG_L3PROTO,			/* u8 bits */
	ATTR_L3PROTO = ATTR_ORIG_L3PROTO,	/* alias */
	ATTR_REPL_L3PROTO = 16,			/* u8 bits */
	ATTR_ORIG_L4PROTO,			/* u8 bits */
	ATTR_L4PROTO = ATTR_ORIG_L4PROTO,	/* alias */
	ATTR_REPL_L4PROTO,			/* u8 bits */
	ATTR_TCP_STATE,				/* u8 bits */
	ATTR_SNAT_IPV4 = 20,			/* u32 bits */
	ATTR_DNAT_IPV4,				/* u32 bits */
	ATTR_SNAT_PORT,				/* u16 bits */
	ATTR_DNAT_PORT,				/* u16 bits */
	ATTR_TIMEOUT = 24,			/* u32 bits */
	ATTR_MARK,				/* u32 bits */
	ATTR_ORIG_COUNTER_PACKETS,		/* u64 bits */
	ATTR_REPL_COUNTER_PACKETS,		/* u64 bits */
	ATTR_ORIG_COUNTER_BYTES = 28,		/* u64 bits */
	ATTR_REPL_COUNTER_BYTES,		/* u64 bits */
	ATTR_USE,				/* u32 bits */
	ATTR_ID,				/* u32 bits */
	ATTR_STATUS = 32,			/* u32 bits  */
	ATTR_TCP_FLAGS_ORIG,			/* u8 bits */
	ATTR_TCP_FLAGS_REPL,			/* u8 bits */
	ATTR_TCP_MASK_ORIG,			/* u8 bits */
	ATTR_TCP_MASK_REPL = 36,		/* u8 bits */
	ATTR_MASTER_IPV4_SRC,			/* u32 bits */
	ATTR_MASTER_IPV4_DST,			/* u32 bits */
	ATTR_MASTER_IPV6_SRC,			/* u128 bits */
	ATTR_MASTER_IPV6_DST = 40,		/* u128 bits */
	ATTR_MASTER_PORT_SRC,			/* u16 bits */
	ATTR_MASTER_PORT_DST,			/* u16 bits */
	ATTR_MASTER_L3PROTO,			/* u8 bits */
	ATTR_MASTER_L4PROTO = 44,		/* u8 bits */
	ATTR_SECMARK,				/* u32 bits */
	ATTR_ORIG_NAT_SEQ_CORRECTION_POS,	/* u32 bits */
	ATTR_ORIG_NAT_SEQ_OFFSET_BEFORE,	/* u32 bits */
	ATTR_ORIG_NAT_SEQ_OFFSET_AFTER = 48,	/* u32 bits */
	ATTR_REPL_NAT_SEQ_CORRECTION_POS,	/* u32 bits */
	ATTR_REPL_NAT_SEQ_OFFSET_BEFORE,	/* u32 bits */
	ATTR_REPL_NAT_SEQ_OFFSET_AFTER,		/* u32 bits */
	ATTR_SCTP_STATE = 52,			/* u8 bits */
	ATTR_SCTP_VTAG_ORIG,			/* u32 bits */
	ATTR_SCTP_VTAG_REPL,			/* u32 bits */
	ATTR_HELPER_NAME,			/* string (30 bytes max) */
	ATTR_DCCP_STATE = 56,			/* u8 bits */
	ATTR_DCCP_ROLE,				/* u8 bits */
	ATTR_DCCP_HANDSHAKE_SEQ,		/* u64 bits */
	ATTR_TCP_WSCALE_ORIG,			/* u8 bits */
	ATTR_TCP_WSCALE_REPL = 60,		/* u8 bits */
	ATTR_ZONE,				/* u16 bits */
	ATTR_SECCTX,				/* string */
	ATTR_TIMESTAMP_START,			/* u64 bits, linux >= 2.6.38 */
	ATTR_TIMESTAMP_STOP = 64,		/* u64 bits, linux >= 2.6.38 */
	ATTR_HELPER_INFO,			/* variable length */
	ATTR_CONNLABELS,			/* variable length */
	ATTR_CONNLABELS_MASK,			/* variable length */
	ATTR_ORIG_ZONE,				/* u16 bits */
	ATTR_REPL_ZONE,				/* u16 bits */
	ATTR_SNAT_IPV6,				/* u128 bits */
	ATTR_DNAT_IPV6,				/* u128 bits */
	ATTR_MAX
};

/* conntrack attribute groups */
enum nf_conntrack_attr_grp {
	ATTR_GRP_ORIG_IPV4 = 0,			/* struct nfct_attr_grp_ipv4 */
	ATTR_GRP_REPL_IPV4,			/* struct nfct_attr_grp_ipv4 */
	ATTR_GRP_ORIG_IPV6,			/* struct nfct_attr_grp_ipv6 */
	ATTR_GRP_REPL_IPV6,			/* struct nfct_attr_grp_ipv6 */
	ATTR_GRP_ORIG_PORT = 4,			/* struct nfct_attr_grp_port */
	ATTR_GRP_REPL_PORT,			/* struct nfct_attr_grp_port */
	ATTR_GRP_ICMP,				/* struct nfct_attr_grp_icmp */
	ATTR_GRP_MASTER_IPV4,			/* struct nfct_attr_grp_ipv4 */
	ATTR_GRP_MASTER_IPV6 = 8,		/* struct nfct_attr_grp_ipv6 */
	ATTR_GRP_MASTER_PORT,			/* struct nfct_attr_grp_port */
	ATTR_GRP_ORIG_COUNTERS,			/* struct nfct_attr_grp_ctrs */
	ATTR_GRP_REPL_COUNTERS,			/* struct nfct_attr_grp_ctrs */
	ATTR_GRP_ORIG_ADDR_SRC = 12,		/* union nfct_attr_grp_addr */
	ATTR_GRP_ORIG_ADDR_DST,			/* union nfct_attr_grp_addr */
	ATTR_GRP_REPL_ADDR_SRC,			/* union nfct_attr_grp_addr */
	ATTR_GRP_REPL_ADDR_DST,			/* union nfct_attr_grp_addr */
	ATTR_GRP_MAX
};

struct nfct_attr_grp_ipv4 {
	uint32_t src, dst;
};

struct nfct_attr_grp_ipv6 {
	uint32_t src[4], dst[4];
};

struct nfct_attr_grp_port {
	uint16_t sport, dport;
};

struct nfct_attr_grp_icmp {
	uint16_t id;
	uint8_t code, type;
};

struct nfct_attr_grp_ctrs {
	uint64_t packets;
	uint64_t bytes;
};

union nfct_attr_grp_addr {
	uint32_t ip;
	uint32_t ip6[4];
	uint32_t addr[4];
};

/* message type */
enum nf_conntrack_msg_type {
	NFCT_T_UNKNOWN = 0,

	NFCT_T_NEW_BIT = 0,
	NFCT_T_NEW = (1 << NFCT_T_NEW_BIT),

	NFCT_T_UPDATE_BIT = 1,
	NFCT_T_UPDATE = (1 << NFCT_T_UPDATE_BIT),

	NFCT_T_DESTROY_BIT = 2,
	NFCT_T_DESTROY = (1 << NFCT_T_DESTROY_BIT),

	NFCT_T_ALL = NFCT_T_NEW | NFCT_T_UPDATE | NFCT_T_DESTROY,

	NFCT_T_ERROR_BIT = 31,
	NFCT_T_ERROR = (1 << NFCT_T_ERROR_BIT),
};

/* constructor / destructor */
extern struct nf_conntrack *nfct_new(void);
extern void nfct_destroy(struct nf_conntrack *ct);

/* clone */
struct nf_conntrack *nfct_clone(const struct nf_conntrack *ct);

/* object size */
extern __attribute__((deprecated)) size_t nfct_sizeof(const struct nf_conntrack *ct);

/* maximum object size */
extern __attribute__((deprecated)) size_t nfct_maxsize(void);

/* set option */
enum {
	NFCT_SOPT_UNDO_SNAT,
	NFCT_SOPT_UNDO_DNAT,
	NFCT_SOPT_UNDO_SPAT,
	NFCT_SOPT_UNDO_DPAT,
	NFCT_SOPT_SETUP_ORIGINAL,
	NFCT_SOPT_SETUP_REPLY,
	__NFCT_SOPT_MAX,
};
#define NFCT_SOPT_MAX (__NFCT_SOPT_MAX - 1)

/* get option */
enum {
	NFCT_GOPT_IS_SNAT,
	NFCT_GOPT_IS_DNAT,
	NFCT_GOPT_IS_SPAT,
	NFCT_GOPT_IS_DPAT,
	__NFCT_GOPT_MAX,
};
#define NFCT_GOPT_MAX (__NFCT_GOPT_MAX - 1)

extern int nfct_setobjopt(struct nf_conntrack *ct, unsigned int option);
extern int nfct_getobjopt(const struct nf_conntrack *ct, unsigned int option);

/* register / unregister callback */

extern int nfct_callback_register(struct nfct_handle *h,
				  enum nf_conntrack_msg_type type,
				  int (*cb)(enum nf_conntrack_msg_type type,
				  	    struct nf_conntrack *ct,
					    void *data),
				  void *data);

extern void nfct_callback_unregister(struct nfct_handle *h);

/* register / unregister callback: extended version including netlink header */

extern int nfct_callback_register2(struct nfct_handle *h,
				   enum nf_conntrack_msg_type type,
				   int (*cb)(const struct nlmsghdr *nlh,
				   	     enum nf_conntrack_msg_type type,
				  	     struct nf_conntrack *ct,
					     void *data),
				   void *data);

extern void nfct_callback_unregister2(struct nfct_handle *h);

/* callback verdict */
enum {
	NFCT_CB_FAILURE = -1,   /* failure */
	NFCT_CB_STOP = 0,       /* stop the query */
	NFCT_CB_CONTINUE = 1,   /* keep iterating through data */
	NFCT_CB_STOLEN = 2,     /* like continue, but ct is not freed */
};

/* bitmask setter/getter */
struct nfct_bitmask;

struct nfct_bitmask *nfct_bitmask_new(unsigned int maxbit);
struct nfct_bitmask *nfct_bitmask_clone(const struct nfct_bitmask *);
unsigned int nfct_bitmask_maxbit(const struct nfct_bitmask *);

void nfct_bitmask_set_bit(struct nfct_bitmask *, unsigned int bit);
int nfct_bitmask_test_bit(const struct nfct_bitmask *, unsigned int bit);
void nfct_bitmask_unset_bit(struct nfct_bitmask *, unsigned int bit);
void nfct_bitmask_destroy(struct nfct_bitmask *);
void nfct_bitmask_clear(struct nfct_bitmask *);
bool nfct_bitmask_equal(const struct nfct_bitmask *, const struct nfct_bitmask *);

/* connlabel name <-> bit translation mapping */
struct nfct_labelmap;

const char *nfct_labels_get_path(void);
struct nfct_labelmap *nfct_labelmap_new(const char *mapfile);
void nfct_labelmap_destroy(struct nfct_labelmap *map);
const char *nfct_labelmap_get_name(struct nfct_labelmap *m, unsigned int bit);
int nfct_labelmap_get_bit(struct nfct_labelmap *m, const char *name);

/* setter */
extern void nfct_set_attr(struct nf_conntrack *ct,
			  const enum nf_conntrack_attr type,
			  const void *value);

extern void nfct_set_attr_u8(struct nf_conntrack *ct,
			     const enum nf_conntrack_attr type,
			     uint8_t value);

extern void nfct_set_attr_u16(struct nf_conntrack *ct,
			      const enum nf_conntrack_attr type,
			      uint16_t value);

extern void nfct_set_attr_u32(struct nf_conntrack *ct,
			      const enum nf_conntrack_attr type,
			      uint32_t value);

extern void nfct_set_attr_u64(struct nf_conntrack *ct,
			      const enum nf_conntrack_attr type,
			      uint64_t value);

extern void nfct_set_attr_l(struct nf_conntrack *ct,
			    const enum nf_conntrack_attr type,
			    const void *value,
			    size_t len);

/* getter */
extern const void *nfct_get_attr(const struct nf_conntrack *ct,
				 const enum nf_conntrack_attr type);

extern uint8_t nfct_get_attr_u8(const struct nf_conntrack *ct,
				 const enum nf_conntrack_attr type);

extern uint16_t nfct_get_attr_u16(const struct nf_conntrack *ct,
				   const enum nf_conntrack_attr type);

extern uint32_t nfct_get_attr_u32(const struct nf_conntrack *ct,
				   const enum nf_conntrack_attr type);

extern uint64_t nfct_get_attr_u64(const struct nf_conntrack *ct,
				   const enum nf_conntrack_attr type);

/* checker */
extern int nfct_attr_is_set(const struct nf_conntrack *ct,
			    const enum nf_conntrack_attr type);

extern int nfct_attr_is_set_array(const struct nf_conntrack *ct,
				  const enum nf_conntrack_attr *type_array,
				  int size);

/* unsetter */
extern int nfct_attr_unset(struct nf_conntrack *ct,
			   const enum nf_conntrack_attr type);

/* group setter */
extern void nfct_set_attr_grp(struct nf_conntrack *ct,
			      const enum nf_conntrack_attr_grp type,
			      const void *value);
/* group getter */
extern int nfct_get_attr_grp(const struct nf_conntrack *ct,
			     const enum nf_conntrack_attr_grp type,
			     void *data);

/* group checker */
extern int nfct_attr_grp_is_set(const struct nf_conntrack *ct,
				const enum nf_conntrack_attr_grp type);

/* unsetter */
extern int nfct_attr_grp_unset(struct nf_conntrack *ct,
			       const enum nf_conntrack_attr_grp type);

/* print */

/* output type */
enum {
	NFCT_O_PLAIN,
	NFCT_O_DEFAULT = NFCT_O_PLAIN,
	NFCT_O_XML,
	NFCT_O_MAX
};

/* output flags */
enum {
	NFCT_OF_SHOW_LAYER3_BIT = 0,
	NFCT_OF_SHOW_LAYER3 = (1 << NFCT_OF_SHOW_LAYER3_BIT),

	NFCT_OF_TIME_BIT = 1,
	NFCT_OF_TIME = (1 << NFCT_OF_TIME_BIT),

	NFCT_OF_ID_BIT = 2,
	NFCT_OF_ID = (1 << NFCT_OF_ID_BIT),

	NFCT_OF_TIMESTAMP_BIT = 3,
	NFCT_OF_TIMESTAMP = (1 << NFCT_OF_TIMESTAMP_BIT),
};

extern int nfct_snprintf(char *buf,
			 unsigned int size,
			 const struct nf_conntrack *ct,
			 const unsigned int msg_type,
			 const unsigned int out_type,
			 const unsigned int out_flags);

extern int nfct_snprintf_labels(char *buf,
				unsigned int size,
				const struct nf_conntrack *ct,
				const unsigned int msg_type,
				const unsigned int out_type,
				const unsigned int out_flags,
				struct nfct_labelmap *map);

/* comparison */
extern int nfct_compare(const struct nf_conntrack *ct1,
			const struct nf_conntrack *ct2);

enum {
	NFCT_CMP_ALL = 0,
	NFCT_CMP_ORIG = (1 << 0),
	NFCT_CMP_REPL = (1 << 1),
	NFCT_CMP_TIMEOUT_EQ = (1 << 2),
	NFCT_CMP_TIMEOUT_GT = (1 << 3),
	NFCT_CMP_TIMEOUT_GE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_GT),
	NFCT_CMP_TIMEOUT_LT = (1 << 4),
	NFCT_CMP_TIMEOUT_LE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_LT),
	NFCT_CMP_MASK = (1 << 5),
	NFCT_CMP_STRICT = (1 << 6),
};

extern int nfct_cmp(const struct nf_conntrack *ct1,
		    const struct nf_conntrack *ct2,
		    unsigned int flags);


/* query */
enum nf_conntrack_query {
	NFCT_Q_CREATE,
	NFCT_Q_UPDATE,
	NFCT_Q_DESTROY,
	NFCT_Q_GET,
	NFCT_Q_FLUSH,
	NFCT_Q_DUMP,
	NFCT_Q_DUMP_RESET,
	NFCT_Q_CREATE_UPDATE,
	NFCT_Q_DUMP_FILTER,
	NFCT_Q_DUMP_FILTER_RESET,
};

extern int nfct_query(struct nfct_handle *h,
		      const enum nf_conntrack_query query,
		      const void *data);

extern int nfct_send(struct nfct_handle *h,
		     const enum nf_conntrack_query query,
		     const void *data);

extern int nfct_catch(struct nfct_handle *h);

/* copy */
enum {
	NFCT_CP_ALL = 0,
	NFCT_CP_ORIG = (1 << 0),
	NFCT_CP_REPL = (1 << 1),
	NFCT_CP_META = (1 << 2),
	NFCT_CP_OVERRIDE = (1 << 3),
};

extern void nfct_copy(struct nf_conntrack *dest,
		      const struct nf_conntrack *source,
		      unsigned int flags);

extern void nfct_copy_attr(struct nf_conntrack *ct1,
			   const struct nf_conntrack *ct2,
			   const enum nf_conntrack_attr type);

/* event filtering */

struct nfct_filter;

extern struct nfct_filter *nfct_filter_create(void);
extern void nfct_filter_destroy(struct nfct_filter *filter);

struct nfct_filter_proto {
	uint16_t proto;
	uint16_t state;
};
struct nfct_filter_ipv4 {
	uint32_t addr;
	uint32_t mask;
};
struct nfct_filter_ipv6 {
	uint32_t addr[4];
	uint32_t mask[4];
};

enum nfct_filter_attr {
	NFCT_FILTER_L4PROTO = 0,	/* uint32_t */
	NFCT_FILTER_L4PROTO_STATE,	/* struct nfct_filter_proto */
	NFCT_FILTER_SRC_IPV4,		/* struct nfct_filter_ipv4 */
	NFCT_FILTER_DST_IPV4,		/* struct nfct_filter_ipv4 */
	NFCT_FILTER_SRC_IPV6,		/* struct nfct_filter_ipv6 */
	NFCT_FILTER_DST_IPV6,		/* struct nfct_filter_ipv6 */
	NFCT_FILTER_MARK,		/* struct nfct_filter_dump_mark */
	NFCT_FILTER_MAX
};

extern void nfct_filter_add_attr(struct nfct_filter *filter,
				 const enum nfct_filter_attr attr,
				 const void *value);

extern void nfct_filter_add_attr_u32(struct nfct_filter *filter,
				     const enum nfct_filter_attr attr,
				     const uint32_t value);

enum nfct_filter_logic {
	NFCT_FILTER_LOGIC_POSITIVE,
	NFCT_FILTER_LOGIC_NEGATIVE,
	NFCT_FILTER_LOGIC_MAX
};

extern int nfct_filter_set_logic(struct nfct_filter *filter,
				 const enum nfct_filter_attr attr,
				 const enum nfct_filter_logic logic);

extern int nfct_filter_attach(int fd, struct nfct_filter *filter);
extern int nfct_filter_detach(int fd);

/* dump filtering */

struct nfct_filter_dump;

struct nfct_filter_dump_mark {
	uint32_t val;
	uint32_t mask;
};

enum nfct_filter_dump_attr {
	NFCT_FILTER_DUMP_MARK = 0,	/* struct nfct_filter_dump_mark */
	NFCT_FILTER_DUMP_L3NUM,		/* uint8_t */
	NFCT_FILTER_DUMP_MAX
};

struct nfct_filter_dump *nfct_filter_dump_create(void);

void nfct_filter_dump_destroy(struct nfct_filter_dump *filter);

void nfct_filter_dump_set_attr(struct nfct_filter_dump *filter_dump,
			       const enum nfct_filter_dump_attr type,
			       const void *data);

void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump,
				  const enum nfct_filter_dump_attr type,
				  uint8_t data);

/* low level API: netlink functions */

extern __attribute__((deprecated)) int
nfct_build_conntrack(struct nfnl_subsys_handle *ssh,
				void *req,
				size_t size,
				uint16_t type,
				uint16_t flags,
				const struct nf_conntrack *ct);

extern __attribute__((deprecated))
int nfct_parse_conntrack(enum nf_conntrack_msg_type msg,
				const struct nlmsghdr *nlh,
				struct nf_conntrack *ct);

extern __attribute__((deprecated))
int nfct_build_query(struct nfnl_subsys_handle *ssh,
			    const enum nf_conntrack_query query,
			    const void *data,
			    void *req,
			    unsigned int size);

/* New low level API: netlink functions */

extern int nfct_nlmsg_build(struct nlmsghdr *nlh, const struct nf_conntrack *ct);
extern int nfct_nlmsg_parse(const struct nlmsghdr *nlh, struct nf_conntrack *ct);
extern int nfct_payload_parse(const void *payload, size_t payload_len, uint16_t l3num, struct nf_conntrack *ct);

/*
 * NEW expectation API
 */

/* expectation object */
struct nf_expect;

/* expect attributes */
enum nf_expect_attr {
	ATTR_EXP_MASTER = 0,	/* pointer to conntrack object */
	ATTR_EXP_EXPECTED,	/* pointer to conntrack object */
	ATTR_EXP_MASK,		/* pointer to conntrack object */
	ATTR_EXP_TIMEOUT,	/* u32 bits */
	ATTR_EXP_ZONE,		/* u16 bits */
	ATTR_EXP_FLAGS,		/* u32 bits */
	ATTR_EXP_HELPER_NAME,	/* string (16 bytes max) */
	ATTR_EXP_CLASS,		/* u32 bits */
	ATTR_EXP_NAT_TUPLE,	/* pointer to conntrack object */
	ATTR_EXP_NAT_DIR,	/* u8 bits */
	ATTR_EXP_FN,		/* string */
	ATTR_EXP_MAX
};

/* constructor / destructor */
extern struct nf_expect *nfexp_new(void);
extern void nfexp_destroy(struct nf_expect *exp);

/* clone */
extern struct nf_expect *nfexp_clone(const struct nf_expect *exp);

/* object size */
extern size_t nfexp_sizeof(const struct nf_expect *exp);

/* maximum object size */
extern size_t nfexp_maxsize(void);

/* register / unregister callback */

extern int nfexp_callback_register(struct nfct_handle *h,
				   enum nf_conntrack_msg_type type,
				   int (*cb)(enum nf_conntrack_msg_type type,
				  	     struct nf_expect *exp,
					     void *data),
				   void *data);

extern void nfexp_callback_unregister(struct nfct_handle *h);

/* register / unregister callback: extended version including netlink header */
extern int nfexp_callback_register2(struct nfct_handle *h,
				    enum nf_conntrack_msg_type type,
				    int (*cb)(const struct nlmsghdr *nlh,
				    	      enum nf_conntrack_msg_type type,
					      struct nf_expect *exp,
					      void *data),
				    void *data);

extern void nfexp_callback_unregister2(struct nfct_handle *h);

/* setter */
extern void nfexp_set_attr(struct nf_expect *exp,
			   const enum nf_expect_attr type,
			   const void *value);

extern void nfexp_set_attr_u8(struct nf_expect *exp,
			      const enum nf_expect_attr type,
			      uint8_t value);

extern void nfexp_set_attr_u16(struct nf_expect *exp,
			       const enum nf_expect_attr type,
			       uint16_t value);

extern void nfexp_set_attr_u32(struct nf_expect *exp,
			       const enum nf_expect_attr type,
			       uint32_t value);

/* getter */
extern const void *nfexp_get_attr(const struct nf_expect *exp,
				  const enum nf_expect_attr type);

extern uint8_t nfexp_get_attr_u8(const struct nf_expect *exp,
				  const enum nf_expect_attr type);

extern uint16_t nfexp_get_attr_u16(const struct nf_expect *exp,
				    const enum nf_expect_attr type);

extern uint32_t nfexp_get_attr_u32(const struct nf_expect *exp,
				    const enum nf_expect_attr type);

/* checker */
extern int nfexp_attr_is_set(const struct nf_expect *exp,
			     const enum nf_expect_attr type);

/* unsetter */
extern int nfexp_attr_unset(struct nf_expect *exp,
			    const enum nf_expect_attr type);

/* query */
extern int nfexp_query(struct nfct_handle *h,
		       const enum nf_conntrack_query qt,
		       const void *data);

/* print */
extern int nfexp_snprintf(char *buf,
			  unsigned int size,
			  const struct nf_expect *exp,
			  const unsigned int msg_type,
			  const unsigned int out_type,
			  const unsigned int out_flags);

/* compare */
extern int nfexp_cmp(const struct nf_expect *exp1,
		     const struct nf_expect *exp2,
		     unsigned int flags);

extern int nfexp_send(struct nfct_handle *h,
		      const enum nf_conntrack_query qt,
		      const void *data);

extern int nfexp_catch(struct nfct_handle *h);

/* low level API */
extern __attribute__((deprecated))
int nfexp_build_expect(struct nfnl_subsys_handle *ssh,
			      void *req,
			      size_t size,
			      uint16_t type,
			      uint16_t flags,
			      const struct nf_expect *exp);

extern __attribute__((deprecated))
int nfexp_parse_expect(enum nf_conntrack_msg_type type,
			      const struct nlmsghdr *nlh,
			      struct nf_expect *exp);

extern __attribute__((deprecated))
int nfexp_build_query(struct nfnl_subsys_handle *ssh,
			     const enum nf_conntrack_query qt,
			     const void *data,
			     void *buffer,
			     unsigned int size);

/* New low level API: netlink functions */

extern int nfexp_nlmsg_build(struct nlmsghdr *nlh, const struct nf_expect *exp);
extern int nfexp_nlmsg_parse(const struct nlmsghdr *nlh, struct nf_expect *exp);

/* Bitset representing status of connection. Taken from ip_conntrack.h
 *
 * Note: For backward compatibility this shouldn't ever change
 * 	 in kernel space.
 */
enum ip_conntrack_status {
	/* It's an expected connection: bit 0 set.  This bit never changed */
	IPS_EXPECTED_BIT = 0,
	IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),

	/* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
	IPS_SEEN_REPLY_BIT = 1,
	IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),

	/* Conntrack should never be early-expired. */
	IPS_ASSURED_BIT = 2,
	IPS_ASSURED = (1 << IPS_ASSURED_BIT),

	/* Connection is confirmed: originating packet has left box */
	IPS_CONFIRMED_BIT = 3,
	IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),

	/* Connection needs src nat in orig dir.  This bit never changed. */
	IPS_SRC_NAT_BIT = 4,
	IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),

	/* Connection needs dst nat in orig dir.  This bit never changed. */
	IPS_DST_NAT_BIT = 5,
	IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),

	/* Both together. */
	IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),

	/* Connection needs TCP sequence adjusted. */
	IPS_SEQ_ADJUST_BIT = 6,
	IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),

	/* NAT initialization bits. */
	IPS_SRC_NAT_DONE_BIT = 7,
	IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),

	IPS_DST_NAT_DONE_BIT = 8,
	IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),

	/* Both together */
	IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),

	/* Connection is dying (removed from lists), can not be unset. */
	IPS_DYING_BIT = 9,
	IPS_DYING = (1 << IPS_DYING_BIT),

	/* Connection has fixed timeout. */
	IPS_FIXED_TIMEOUT_BIT = 10,
	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),

	/* Conntrack is a template */
	IPS_TEMPLATE_BIT = 11,
	IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),

	/* Conntrack is a fake untracked entry */
	IPS_UNTRACKED_BIT = 12,
	IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
};

/* expectation flags */
#define NF_CT_EXPECT_PERMANENT          0x1
#define NF_CT_EXPECT_INACTIVE           0x2
#define NF_CT_EXPECT_USERSPACE          0x4

/*
 * TCP flags
 */

/* Window scaling is advertised by the sender */
#define IP_CT_TCP_FLAG_WINDOW_SCALE             0x01

/* SACK is permitted by the sender */
#define IP_CT_TCP_FLAG_SACK_PERM                0x02

/* This sender sent FIN first */
#define IP_CT_TCP_FLAG_CLOSE_INIT               0x04

/* Be liberal in window checking */
#define IP_CT_TCP_FLAG_BE_LIBERAL               0x08

/* WARNING: do not use these constants in new applications, we keep them here
 * to avoid breaking backward compatibility. */
#define NFCT_DIR_ORIGINAL 0
#define NFCT_DIR_REPLY 1
#define NFCT_DIR_MAX NFCT_DIR_REPLY+1

/* xt_helper uses a length size of 30 bytes, however, no helper name in
 * the tree has exceeded 16 bytes length. Since 2.6.29, the maximum
 * length accepted is 16 bytes, this limit is enforced during module load. */
#define NFCT_HELPER_NAME_MAX	16

#ifdef __cplusplus
}
#endif

#endif	/* _LIBNETFILTER_CONNTRACK_H_ */